#54362 (Wrong Escaping Function) – WordPress Trac
#1
@Presskopp
3 years ago
doesn't look like an error to me. This is the translation function used on several places for the same string
wp-admin/freedoms.php:94
wp-admin/includes/plugin-install.php:273
wp-admin/includes/plugin-install.php:700
wp-admin/plugin-install.php:89
wp-admin/plugins.php:550
#2
@dimadin
3 years ago
__() is function used for translation. In this case, we are allowing translators to change URL (to point to different language version of https://wordpress.org/plugins/, for example https://de.wordpress.org/plugins/, https://sr.wordpress.org/plugins/...).
Output of __() should be escaped. There are some functions that merge translating and escaping functions (esc_attr__(), esc_html__()...).
#3
@henry.wright
3 years ago
- Keywords 2nd-opinion dev-feedback added
The src attribute value should be escaped. I understand the need to allow translators to change the URL to a different language but a better approach would be to make the URL filterable.
My proposal is this
- Make the URL filterable and then
- Escape the
srcattribute value
#4
@SergeyBiryukov
3 years ago
- Component changed from General to Plugins
- Focuses administration added
- Keywords needs-refresh added; 2nd-opinion dev-feedback removed
- Milestone changed from Awaiting Review to 6.0
Thanks for the patch!
As noted above, we can add esc_url() here, but the __() call should not be removed to allow for the URL to be translated. So I think something like this should work here:
<?php echo esc_url( __( 'https://wordpress.org/plugins/' ) . $api->slug ); ?>
#8
@SergeyBiryukov
3 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from assigned to closed